registry  /  @dataforxyz/agent-intercom-orchestrator  /  0.10.0

@dataforxyz/agent-intercom-orchestrator@0.10.0

Pi extension for creating and managing independent Agent Intercom coworkers across Pi, Codex, Claude Code, and OpenCode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This Pi extension creates package-owned orchestration config/state and can start persistent user-systemd agent workers. It also offers explicit update commands for related adapters. No unconsented install-time behavior or remote exfiltration is established.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi extension load writes defaults; explicit `agent_fleet` spawn or update with `execute=true` activates process management or updates.
Impact
Can run configured local agent CLIs and modify package-owned Agent Intercom state; no concrete malicious chain found.
Mechanism
First-party AI-agent orchestration via systemd-run, local launchers, and explicit adapter updates.
Rationale
The package is a first-party agent-extension/orchestration capability with guarded runtime process and update actions, so it merits a warning under the extension lifecycle policy. Source inspection found no install-time mutation of a foreign control surface, exfiltration, stealth persistence, or remote payload execution.
Evidence
package.jsonsrc/index.tssrc/systemd.tssrc/opencode-peer-launcher.mjssrc/updates.tssrc/config.tssrc/store.ts
Network endpoints1
127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/index.ts` is a Pi extension that loads on session start and manages agent workers.
  • `src/index.ts` can launch user-systemd worker units for Pi, Codex, Claude, or OpenCode.
  • `src/updates.ts` generates npm/pi/git update commands, executed only by `agent_fleet update` with `execute=true`.
  • `src/opencode-peer-launcher.mjs` starts a local OpenCode server and writes package-owned peer state.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • No remote HTTP endpoint, credential exfiltration, eval/vm, or dynamic remote payload loading was found.
  • The peer launcher connects only to localhost (`127.0.0.1`) and uses generated local credentials.
  • Destructive operations are scoped to recorded worker units and package-owned Intercom state paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicenseWildcardDependency
scanned 10 file(s), 102 KB of source, external domains: 127.0.0.1, registry.npmjs.org

Source & flagged code

4 flagged · loading source
src/agent-fleet-cli.mjsView file
1#!/usr/bin/env -S node --experimental-strip-types L2: import { spawn } from "node:child_process"; L3:
High
Child Process

Package source references child process execution.

src/agent-fleet-cli.mjsView on unpkg · L1
src/opencode-peer-launcher.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { randomBytes, randomUUID } from "node:crypto"; L4: import { mkdir, readFile, rename, writeFile } from "node:fs/promises"; L5: import net from "node:net"; L6: import { dirname } from "node:path"; ... L16: L17: const healthPath = process.env.AGENT_INTERCOM_OPENCODE_HEALTH_PATH?.trim(); L18: const statePath = process.env.AGENT_INTERCOM_OPENCODE_STATE_PATH?.trim();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/opencode-peer-launcher.mjsView on unpkg · L1
examples/opencode-manager-env.shView file
path = examples/opencode-manager-env.sh kind = build_helper sizeBytes = 540 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/opencode-manager-env.shView on unpkg
src/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @dataforxyz/agent-intercom-orchestrator@0.9.3 matchedIdentity = npm:[redacted]:0.9.3 similarity = 0.778 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.tsView on unpkg

Findings

4 High5 Medium5 Low
HighChild Processsrc/agent-fleet-cli.mjs
HighShell
HighSame File Env Network Executionsrc/opencode-peer-launcher.mjs
HighPrevious Version Dangerous Deltasrc/index.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperexamples/opencode-manager-env.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License